LEARN – Join ESXi Hosts to Active Directory for Authentication

October 8, 2021 · Uncategorized · neudorfer

The other week I had a request to join all our ESXi hosts to our Active Directory domain so we could authenticate with our own user accounts. This allows for better security and tracking of each user's activity, and it gives us the opportunity to set a unique, complex root password on each host.


To begin you’ll need a user account with the following minimal AD permissions:

  • Reset Password
  • Read and write Account Restrictions
  • Validated write to DNS host name
  • Validated write to service principal name
  • Create and Delete Computer objects

You can find those requirements here.


I finished one site manually, which took forever. To add a host manually, follow the steps below.


Manual Method –

Log into your vCenter > Go to your host > Configure > Authentication Services

Click Join Domain


Enter Domain Name, Username with permissions as described above, and password.


The domain join is usually quick, under a minute. If it takes longer it will probably fail. A lot of times the task will be reported as unsuccessful even though the Directory Service Type and Domain fields say connected, as if it had succeeded.

If that's the case and you can't log in to the host with your AD account, you'll need to click "Leave Domain", check your account permissions, and try again.

Once the host is joined you’ll want to go into advanced settings and find the below setting and add the Active Directory Group you want users to authenticate from.

Config.HostAgent.plugins.hostsvc.esxAdminsGroup


PowerCLI Method –

Now that we have that down I wanted to see if I could script it and it turns out you can.

The below command will join a single host to the domain. I put one host into maintenance mode to test and make sure it wouldn’t disrupt VMs.

Get-VMHostAuthentication -VMHost $VMHost.Name | Set-VMHostAuthentication -JoinDomain -Domain $Domain -User $User -Password $Password -Confirm:$False

Doing one host at a time with PowerCLI is fine, but I wanted to do an entire site/cluster at a time, so we'll wrap the above command in a ForEach loop like the one below. The 'script' below will prompt for the username and password of an account with the permissions from earlier, the cluster you want to add, and the domain to join, and it will join every host in that cluster to the domain. Then we'll run a separate command to set the advanced setting to our admin group. It could be run within the same script, but it's just as easy to run it right after.


$User = Read-Host "Username"
# Read the password masked; Set-VMHostAuthentication only accepts a plain string,
# so convert it just before use instead of echoing it at the prompt
$SecurePassword = Read-Host "Password" -AsSecureString
$Password = [System.Net.NetworkCredential]::new('', $SecurePassword).Password
$Cluster = Read-Host "Cluster"
$Domain = Read-Host "Domain"
$NewValue = Read-Host "AD group for esxAdminsGroup"   # the AD group that should get admin access on the hosts
$VMHosts = Get-Cluster $Cluster | Get-VMHost

ForEach ($VMHost in $VMHosts)
{
    # Join each host in the cluster to the domain with the account entered above
    Get-VMHostAuthentication -VMHost $VMHost.Name | Set-VMHostAuthentication -JoinDomain -Domain $Domain -User $User -Password $Password -Confirm:$False
}

# Point the esxAdminsGroup advanced setting at the AD group (this targets every host in the connected vCenter)
Get-VMHost | Set-VMHostAdvancedConfiguration -Name "Config.HostAgent.plugins.hostsvc.esxAdminsGroup" -Value $NewValue


Now you can test by going to the hosts and trying to log in with domain credentials. You can also run this to output the domain configuration of every host.

Get-VMHost | Get-VMHostAuthentication | Select-Object VMHost, Domain, DomainMembershipStatus


And if you want to re-run it only against the hosts that aren't joined yet, you can use the filter below.

Get-VMHost | Get-VMHostAuthentication | Select-Object VMHost, Domain, DomainMembershipStatus | Where-Object { $_.DomainMembershipStatus -NotLike "Ok" }
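Putting the filter and the join together, here is an added example (my own code, not from the original post) that joins only the hosts in a cluster whose DomainMembershipStatus is not Ok, sets the esxAdminsGroup setting only on hosts that actually joined, and then re-reads both values so the "task failed but the UI says connected" case from the manual section shows up as a non-Ok status in the report. It assumes an existing Connect-VIServer session with rights on the cluster; the function name, parameter names and the cluster, domain and group values in the usage line are placeholders.

```powershell
# Added example: join only the not-yet-joined hosts of a cluster, then verify.
# Assumes Connect-VIServer has already been run. Names below are my own, not PowerCLI's.
function Join-UnjoinedVMHost {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Cluster,
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [pscredential] $Credential,   # account with the AD rights listed at the top of the post
        [Parameter(Mandatory)] [string] $AdminGroup           # AD group that may log in, e.g. "ESX Admins"
    )

    $settingName = 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup'

    # Set-VMHostAuthentication wants a plain-string password; extract it from the
    # credential object at the last moment rather than typing it into Read-Host.
    $plainPassword = $Credential.GetNetworkCredential().Password

    # Same filter as the one-liner above, scoped to one cluster
    $pending = Get-Cluster -Name $Cluster | Get-VMHost |
        Get-VMHostAuthentication |
        Where-Object { $_.DomainMembershipStatus -ne 'Ok' }

    foreach ($auth in $pending) {
        $hostName = $auth.VMHost.Name
        if (-not $PSCmdlet.ShouldProcess($hostName, "Join domain $Domain")) { continue }
        try {
            # -ErrorAction Stop turns a failed join task into a catchable exception
            $auth | Set-VMHostAuthentication -JoinDomain -Domain $Domain `
                -User $Credential.UserName -Password $plainPassword `
                -Confirm:$false -ErrorAction Stop | Out-Null
        }
        catch {
            Write-Warning "$hostName : join failed - $($_.Exception.Message)"
            continue
        }

        # Only grant the admin group on hosts whose join did not throw
        $setting = Get-AdvancedSetting -Entity $auth.VMHost -Name $settingName
        if ($setting.Value -ne $AdminGroup) {
            Set-AdvancedSetting -AdvancedSetting $setting -Value $AdminGroup -Confirm:$false | Out-Null
        }
    }

    # Report: re-read membership status and the admin group for every host in the cluster
    Get-Cluster -Name $Cluster | Get-VMHost | ForEach-Object {
        $a = Get-VMHostAuthentication -VMHost $_
        [pscustomobject]@{
            VMHost     = $_.Name
            Domain     = $a.Domain
            Status     = $a.DomainMembershipStatus
            AdminGroup = (Get-AdvancedSetting -Entity $_ -Name $settingName).Value
        }
    }
}

# Usage (placeholder values): prompts once for the service account, then joins only the hosts that are not Ok
# Join-UnjoinedVMHost -Cluster 'Site1-Cluster' -Domain 'corp.example.com' -Credential (Get-Credential) -AdminGroup 'ESX Admins'
```

Because the function declares SupportsShouldProcess, you can run it with -WhatIf first to see which hosts it would touch. Any host that still reports a Status other than Ok in the final table is one where the join task failed, regardless of what the Authentication Services page in vCenter shows.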
